“The bulletin does not state what level of privileges are required to exploit…”
Patch Tuesday looks a little more substantial this month, with Microsoft security updates now available to address a total of 74 vulnerabilities, 13 of them labelled critical, including one zero day being actively exploited in the wild.
The fixes are up from last month’s 60 CVEs, nine of which were critical. Security teams are being urged to update their systems as soon as possible.
One of the patches (CVE-2019-1429) is for a remote code execution vulnerability in the way that the scripting engine handles objects in memory in Internet Explorer. Microsoft has reported this as being actively attacked in the wild.
Chris Goettl, Director of Security Solutions at Ivanti, said in an emailed comment: “The vulnerability only gains them equal access to the current user, so proper privilege management would mitigate the attacker’s ability to take full control of the system without using additional elevation of privilege exploits.”
He added: “For attack vectors, an attacker could craft a website or embed an ActiveX control marked with ‘safe for initialisation’ in an application or Office document that hosts the IE rendering engine. Security training on common phishing and user-targeted attack methods could further reduce the risk of this vulnerability being exploited. But since it is already being exploited in the wild, it is highly recommended to get the patch rolled out quickly to resolve the vulnerability completely.”
Microsoft Security Updates Span 13 Critical Vulns
Of the 13 critical vulnerabilities, five are for browsers and scripting engines.
Out of the eight other critical vulnerabilities, four are potential hypervisor escapes in Hyper-V.
There are also vulnerabilities in Microsoft Exchange, Win32k, Windows Media Foundations, and OpenType, Microsoft said in its monthly update.
The critical vulnerability (CVE-2019-1373) in Microsoft Exchange also stands out, but scant details have emerged. As Jimmy Graham, Senior Director of Product Management at Qualys, notes: “The bulletin states that the user must execute PowerShell cmdlets against the Exchange server, but the bulletin does not state what level of privileges are required to exploit. With this being unknown at this time, it is recommended that this patch be prioritized for any Microsoft Exchange servers.”
Ivanti’s Goettl adds: “Microsoft has resolved a publicly disclosed vulnerability (CVE-2019-1457) in Excel that could bypass security features.
“An attacker could embed a control in an Excel worksheet that specifies a macro should be run. Whatever is executed in the macro that was triggered by bypassing the security settings of Excel would be the real risk of this vulnerability. This vulnerability is not currently being exploited in the wild, but since it has been publicly disclosed, threat actors have had a jump start on being able to develop an exploit to take advantage of the CVE. This puts the vulnerability at higher risk of exploitation.”